Abstract. We consider the problem of uniform sampling of points on an algebraic variety. 
Specifically, we develop a randomized algorithm that, given a small set of multivariate 
polynomials over a sufficiently large finite field, produces a common zero of the polynomials 
almost uniformly at random. The statistical distance between the output distribution of 
the algorithm and the uniform distribution on the set of common zeros is polynomially 
small in the field size, and the running time of the algorithm is polynomial in the description 
of the polynomials and their degrees provided that the number of the polynomials is a 
constant. 



1. Introduction 

A natural and important class of problems in computer science deals with random 
generation of objects satisfying certain properties. More precisely, one is interested in an 
efficient algorithm that, given a compact description of a set of objects, outputs an element 
in the set uniformly at random, where the exact meaning of "compact" depends on the 
specific problem in question. 

Uniform sampling typically arises for problems in NP. Namely, given an instance
belonging to a language in NP, one aims to produce a witness uniformly at random. Here, 
the requirement is stronger than that of decision and search problems. In a seminal paper, 
Jerrum, Valiant and Vazirani [8] gave a unified framework for this problem and showed 
that, for polynomial-time verifiable relations xRy, uniform sampling of a witness y for a 
given instance x is reducible to approximate counting of the witnesses, and hence, can be 
efficiently accomplished using a oracle. It is natural to ask whether the requirement 
for an oracle can be lifted. In fact, this is the case; a result of Bellare, Goldreich, and 
Petrank [3] shows that an NP oracle is sufficient and also necessary for uniform sampling of 
NP witnesses. 

The NP sampling problem can be equivalently stated as follows: Given a boolean
circuit of polynomially bounded size, sample an input that produces the output 1 (if possible), 
uniformly at random among all possibilities. This problem can be naturally generalized to 
models of computation other than small boolean circuits, and an interesting question to 
ask is the following: For what restricted models is the uniform (or almost-uniform) sampling 
problem efficiently solvable (e.g., by polynomial-time algorithms or polynomial-sized
circuits) without the need for an additional oracle? Of course if the role of the NP oracle 
in [3] can be replaced by a weaker oracle that can be efficiently implemented, that would 
immediately imply an efficient uniform sampler. While for general NP relations the full 
power of an NP oracle is necessary, this might not be the case for more restricted models. 

In this work, we study the sampling problem for the restricted model of polynomial 
functions. A polynomial function of degree d over a field F (that we assume to be finite) 
is a mapping $f : \mathbb{F}^n \to \mathbb{F}^m$ such that every coordinate of the output can be computed by 
an n-variate polynomial of total degree at most d over F. The corresponding sampling 
problem (that we call variety sampling) is defined as follows: Given a polynomial function, 
find a pre-image of a given output (that can be considered the zero vector without loss of 
generality) uniformly at random. Hence, in this problem one seeks to sample a uniformly 
random point on a given algebraic variety. It is not difficult to show that this problem is, in 
general, NP-hard. Hence, it is inevitable to relax the generality of the problem if one hopes 
to obtain an efficient solution without the need for an NP oracle. Accordingly, we restrict 
ourselves to the case where 

(1) The co-dimension of the variety (or, the number of the polynomials that define the 
variety) is small, 

(2) The underlying field is sufficiently large, 

(3) The output distribution is only required to be statistically close to the uniform 
distribution on the variety. 

It is shown in [8] that almost uniform generation of NP witnesses (with respect to 
the statistical distance) is possible without using an NP oracle for self-reducible relations 
for which the size of the solution space can be efficiently approximated. The relation 
underlying the variety sampling problem consists of a set of n-variate polynomials over F 
and a point $x \in \mathbb{F}^n$, and it holds if and only if $x$ is a common zero of the polynomials. 
Obviously, assuming that field operations can be implemented in polynomial time, this is 
a polynomial-time verifiable relation. Moreover, the relation is self reducible, as any fixing 
of one of the coordinates of the witness x leads to a smaller instance of the problem itself, 
defined over $n - 1$ variables. Approximate counting of the witnesses amounts to giving a 
sharp estimate on the number of common zeros of the set of polynomials. Several such 
estimates are available. In particular, a result of Lang and Weil (Theorem 2.2) that we 
will later use in the paper gives general lower and upper bounds on the number of rational 
points on varieties. Moreover, there are algorithmic results (see [H [2j [12| HH] and the 
references therein) that consider the problem of counting rational points on a given variety 
that belongs to a certain restricted class of varieties over finite fields. 

Thus, it appears that the result of [8] already covers the variety sampling problem. 
However, this is not the case because of the following subtleties: 

(1) Our relation is not necessarily self-reducible in the strong sense required by the
construction of [8]. What is required by this result is that partial fixings of the witness can 
be done in steps of at most logarithmic length (to allow for an efficient enumeration 
of all possible fixings). Namely, in our case, a partial fixing of $x$ amounts to choosing 
a particular value for one of the $n$ variables. The portion of $x$ corresponding to the 
variable being fixed would have length $\log q$, and in general, this can be much larger 
than $O(\log |x|)$. 

1 This result can be seen as a consequence of the Weil theorem (initially conjectured in [18]), which is an 
analog of the Riemann hypothesis for curves over finite fields. 

(2) The general Lang-Weil estimate gives interesting bounds only when the underlying 
field is fairly large. 

(3) The algorithmic results mentioned above, being mostly motivated by cryptographic 
or number-theoretic applications such as primality testing, focus on very restricted 
classes of varieties, for instance, elliptic p3] or hyperelliptic pQ curves (or general 
plane curves [7] that are only defined over a constant number of variables), or 
low-dimensional Abelian varieties [2]. Moreover, they are efficient in terms of the 
running time with respect to the logarithm of the field size and the dependence on 
the number of variables or the degree (whenever they are not restricted to constants) 
can be exponential. 

Hence, over large fields, fine granularity of the self-reduction cannot be fulfilled and 
over small fields, no reliable and efficient implementation of a counting oracle is available 
for our problem, and we cannot directly apply the general sampler of [8]. In this work, we 
construct an efficient sampler that directly utilizes the algebraic structure of the problem. 
The main theorem that we prove is the following: 

Theorem 1.1. (Main theorem) Let the integer $k > 0$ be any absolute constant, $n > k$ and 
$d > 0$ be positive integers, $\epsilon > 0$ be an arbitrarily small parameter, and $q$ be a large enough 
prime power. Suppose that $f_1, \ldots, f_k \in \mathbb{F}_q[x_1, \ldots, x_n]$ are polynomials, each of total degree 
at most $d$, whose set of common zeros defines an affine variety $V \subseteq \mathbb{F}_q^n$ of co-dimension $k$. 
There is a randomized algorithm that, given the description of $f_1, \ldots, f_k$ and the parameter 
$\epsilon$, outputs a random point $v \in \mathbb{F}_q^n$ such that the distribution of $v$ is $(6/q^{1-\epsilon})$-close to the 
uniform distribution on $V$. The worst case running time of the algorithm is polynomial in 



Though we present the above result for affine varieties, our techniques can be readily 
applied to the same problem for projective varieties as well. At a high level, the algorithm is 
simple and intuitive, and can be roughly described as follows: To sample a point on a variety 
$V$ of co-dimension $k$, we first sample a $k$-dimensional affine subspace $A$ uniformly at random 
and then a random point on $V \cap A$. To make the analysis clear, we show (in Section 3) that 
the problem can be viewed as a sampling problem on almost regular bipartite graphs, where 
one can sample a left vertex almost uniformly by picking the left neighbor of a random edge. 
The main part of the analysis (Section 4) is to show why this reduction holds, and requires 
basic tools from Algebraic Geometry, in particular the Lang-Weil estimate on the number 
of points on varieties (Theorem 2.2), and details on how to deal with problems such as 
varying dimension and size of the intersection $V \cap A$. The reduction combined with the 
graph sampling algorithm constitutes the sampling algorithm claimed in the main theorem. 

Connection with Randomness Extractors 

Trevisan and Vadhan [17] introduced the notion of samplable sources as probability 
distributions that can be sampled using small, e.g., polynomial-sized, boolean circuits. An 
extractor for samplable sources is a deterministic function whose output, when the input is 
randomly chosen according to any samplable distribution, has a distribution that is
statistically close to uniform. Assuming the existence of certain hard functions, they constructed 
such extractors. 

2 We consider an explicit description of polynomials given by a list of their nonzero monomials. 

As a natural class of samplable distributions, Dvir, Gabizon and Wigderson [6] consid- 
ered the class of distributions that are samplable by low-degree multivariate polynomials. 
They gave a construction of extractors for such sources over sufficiently large finite fields 
that does not rely on any hardness assumption and achieves much better parameters. More- 
over, they introduced the dual notion of algebraic sources that are defined as distributions 
that are uniform on rational points of low-degree affine varieties, and asked whether effi- 
cient extractors exist for such sources. Our main theorem shows that algebraic sources (for 
a wide range of parameters) are close to samplable distributions, and hence, any extractor 
for samplable distributions is also an extractor for such algebraic sources. Very recently, 
Dvir [5] gave a direct and unconditional construction of an extractor for algebraic sources 
when the field size is sufficiently large. 

2. Preliminaries and Basic Facts 

We will use a simple form of the well known Schwartz-Zippel lemma and a theorem by 
Lang and Weil for bounding the number of the points on a variety: 

Lemma 2.1. (Schwartz-Zippel) [15, 19] Let $f$ be a nonzero $n$-variate polynomial of degree 
$d$ defined over a finite field $\mathbb{F}_q$. Then the number of zeros of $f$ is at most $dq^{n-1}$. ■ 

Theorem 2.2. (Lang-Weil) [10] Let $n, d, r$ be positive integers. There exists a constant 
$A(n, d, r)$ depending only on $n, d, r$ such that for any irreducible $r$-dimensional variety $V$ 
of degree $d$ defined in a projective space $\mathbb{P}^n$ over a finite field $\mathbb{F}_q$, we have 
$|N - q^r| \le (d-1)(d-2)q^{r-\frac{1}{2}} + A(n, d, r)q^{r-1}$, where $N$ is the number of rational points of $V$ over $\mathbb{F}_q$. ■ 

This theorem can be generalized to the case of reducible varieties as follows: 

Corollary 2.3. Let $n, d, r$ be positive integers. There exists a constant $A'(n,d,r)$ depending 
only on $n, d, r$ and a constant $\delta(d)$ depending only on $d$ and integer $s$, $1 \le s \le d$, such that 
for any $r$-dimensional variety $V$ of degree $d$ defined in a projective space $\mathbb{P}^n$ over a finite 
field $\mathbb{F}_q$ we have $|N - sq^r| \le \delta(d)q^{r-\frac{1}{2}} + A'(n, d, r)q^{r-1}$, where $N$ is the number of rational 
points of $V$ over $\mathbb{F}_q$. 

Proof. Let $V_1 \cup V_2 \cup \cdots \cup V_t$, where $1 \le t \le d$, be a decomposition of $V$ into distinct irreducible 
components and denote the set of $r$-dimensional components in this decomposition by $S$. 
Let $s :=$ Note that each component $V_i \notin S$ has dimension at most $r - 1$ and by 
Theorem 2.2, the number of points on the union of the components outside $S$ is negligible, 

3 

namely, at most A"q r ~ 2 where A" is a parameter depending only on n, d, r. Hence to prove 
the corollary, it suffices to bound the number of points on the union of the components in 
S. 

For each component $V_i \in S$ we can apply Theorem 2.2, which implies that the number 
of points of $V_i$ in $\mathbb{P}^n$, assuming that its degree is $d_i$, is bounded from $q^r$ by at most 
$(d_i - 1)(d_i - 2)q^{r-\frac{1}{2}} + \alpha_i q^{r-1}$, for some $\alpha_i$ that depends only on $n, d_i, r$. This upper bounds the 
number of points of $V$ by 

$$\sum_{i=1}^{s} |V_i| \le sq^r + \delta_1 q^{r-\frac{1}{2}} + A_1 q^{r-1},$$

where $\delta_1 = \sum_{i=1}^{s} (d_i - 1)(d_i - 2) \le d^2$ (from the fact that $\sum_{i=1}^{s} d_i \le d$) and $A_1 = \sum_{i=1}^{s} \alpha_i$. 
Note that $A_1$ and $\delta_1$ can be upper bounded by quantities depending only on $n, d, r$ and $d$, 
respectively. This proves one side of the inequality. 

For the lower bound on $|V|$, we note that the summation above counts the points 
at the intersection of two irreducible components multiple times, and it will be sufficient 
to discard all such points and lower bound the number of points that lie on exactly one 
of the components. Take a distinct pair of the irreducible components, $V_i$ and $V_j$. The 
intersection of these varieties defines an $(r - 1)$-dimensional variety, which by the upper 
bound we just obtained can have at most $s_{ij} q^{r-1} + \delta_2 q^{r-1.5} + A_2 q^{r-2}$ points, for some 
$s_{ij} \le d^2$, and parameters $\delta_2$ depending only on $d$ and $A_2$ depending on $n, k, r$. Hence, 
considering all the pairs, the number of points that lie on more than one of the irreducible 
components is no more than $\binom{s}{2}(d^2 q^{r-1} + \delta_2 q^{r-1.5} + A_2 q^{r-2})$, which means that the number 
of distinct points of $V$ is at least $\sum_{i=1}^{s} |V_i| - d^4 q^{r-1} - d^2 \delta_2 q^{r-\frac{3}{2}} - d^2 A_2 q^{r-2}$, which is itself 
at least $sq^r - \delta_1 q^{r-\frac{1}{2}} - (A_1 + d^4)q^{r-1} - d^2 \delta_2 q^{r-\frac{3}{2}} - d^2 A_2 q^{r-2}$. Taking (crudely) 
$A'(n, d, r) := A_1 + d^2 A_2 + d^4 + d^2 \delta_2 + A''$ and $\delta = \delta_1$ proves the corollary. ■ 

Remark 2.4. Corollary 2.3 also holds for affine varieties. An affine variety $V$ can be seen as 
the restriction of a projective variety $V$ to the affine space, where no irreducible component 
of $V$ is fully contained in the hyperplane at infinity. Then the affine dimension of $V$ will be 
the (top) dimension of $V$, and the bound in Corollary 2.3 holds for $V$ if the affine dimension 
of the variety is taken as the parameter $r$ in the bound. This is because each irreducible 
component of $V$ intersects the hyperplane at infinity at a variety of dimension less than 
$r$, and by Theorem 2.2 adding those points to the estimate will have a negligible effect of 

3 

order q r ~2. 

Finally, we review some basic notions that we use from probability theory. The
statistical distance (or total variation distance) of two distributions $\mathcal{X}$ and $\mathcal{Y}$ defined on the 
same finite space $S$ is defined as $\frac{1}{2} \sum_{s \in S} |\Pr_{\mathcal{X}}(s) - \Pr_{\mathcal{Y}}(s)|$, where $\Pr_{\mathcal{X}}$ and $\Pr_{\mathcal{Y}}$ denote the 
probability measures on $S$ defined by the distributions $\mathcal{X}$ and $\mathcal{Y}$, respectively. Note that 
this is half the $\ell_1$ distance of the two distributions when regarded as vectors of probabilities 
over $S$. It can be shown that the statistical distance of the two distributions is at most $\epsilon$ if 
and only if for every $T \subseteq S$, we have $|\Pr_{\mathcal{X}}[T] - \Pr_{\mathcal{Y}}[T]| \le \epsilon$. When the statistical distance 
of $\mathcal{X}$ and $\mathcal{Y}$ is at most $\epsilon$, we say that $\mathcal{X}$ and $\mathcal{Y}$ are $\epsilon$-close. We will also use the notion of a 
convex combination of distributions, defined as follows: 

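Definition 2.5. Let $\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_n$ be probability distributions on a finite set $S$ and 
$\alpha_1, \alpha_2, \ldots, \alpha_n$ be nonnegative real values that sum up to 1. Then the convex combination
$\alpha_1 \mathcal{X}_1 + \alpha_2 \mathcal{X}_2 + \cdots + \alpha_n \mathcal{X}_n$ is a distribution $\mathcal{X}$ on $S$ given by the probability measure 

$\Pr_{\mathcal{X}}(x) := \sum_{i=1}^{n} \alpha_i \Pr_{\mathcal{X}_i}(x)$, for $x \in S$. 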

There is a simple connection between convex combinations and distance of distributions: 

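Proposition 2.6. Let $\mathcal{X}$, $\mathcal{Y}$, and $\mathcal{E}$ be probability distributions on a finite set $S$ such that 
for some $0 < \epsilon < 1$, $\mathcal{X} = (1 - \epsilon)\mathcal{Y} + \epsilon\mathcal{E}$. Then $\mathcal{X}$ is $\epsilon$-close to $\mathcal{Y}$. ■ 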






M. CHERAGHCHI AND A. SHOKROLLAHI 



3. A Vertex Sampling Problem 

In this section we introduce a sampling problem on graphs, and develop an algorithm 
to solve it. We will later use this algorithm as a basic component in our construction of 
samplers for varieties. The problem is as follows: 

Problem 3.1. Let $G$ be a bipartite graph defined on a set $\mathcal{L}$ of left vertices and $\mathcal{R}$ of right 
vertices. Suppose that the degree of every vertex on the right is between 1 and $d$, for some 
$d > 1$, and the degree of every vertex on the left differs from an integer $\ell$ by at most $\delta\ell$. We 
are given an oracle RSamp($G$) that returns an element of $\mathcal{R}$ chosen uniformly at random 
(and independently at each call), and an oracle RNei($v$) that returns the neighbor list of 
a given vertex $v \in \mathcal{R}$. Construct an algorithm that outputs a random vertex in $\mathcal{L}$ almost 
uniformly. 

Intuitively, for a bipartite graph which is regular from left and right, sampling a vertex 
on the left amounts to picking a random edge in the graph, which is in turn possible by 
choosing a random edge connected to a random vertex on the right side. Here of course, 
the graph is not regular; however, the concentration of the left degrees around $\ell$ allows us to 
treat the graph as if it were regular and get an almost uniform distribution on $\mathcal{L}$ by picking 
a random edge. We will compensate for the irregularity from the right by using a "trial and error" 
strategy. The pseudocode given in Algorithm 1 implements this idea. The algorithm in fact 
handles a more general situation, in which a call to RSamp can fail (and return a special 
failure symbol $\bot$) with some probability upper bounded by a given parameter $p$. 

Algorithm 1 BipartiteSample 

Require: $G$, RSamp, RNei given as in Problem 3.1 and $p$ denoting the failure probability 
of RSamp. 

1: Let $\delta$, $d$ be as in Problem 3.1 
2: $t \leftarrow t_0$ 
3: while $t > 0$ do 
4:    $t \leftarrow t - 1$; $R \leftarrow$ RSamp($G$) 
5:    if $R \ne \bot$ then 
6:       $V \leftarrow$ RNei($R$) 
7:       With probability $|V|/d$, output an element of $V$ uniformly at random and return. 
8:    end if 
9: end while 
10: Output an arbitrary element of $\mathcal{L}$. 



Lemma 3.2. The output distribution of Algorithm 1 is supported on $\mathcal{L}$ and is
$3\delta/(1 - \delta)$-close to the uniform distribution on $\mathcal{L}$. 

Proof. First we focus on one iteration of the while loop in which the call to RSamp has 
not failed, and analyze the output distribution of the algorithm conditioned on the event 
that Line 7 returns a left vertex. In this case, one can see the algorithm as follows: Add 
a special vertex $v_0$ to the set of left vertices $\mathcal{L}$. Bring the degree of each right vertex up 
to $d$ by connecting it to $v_0$ as many times as necessary. Hence, the graph $G$ now becomes 
$d$-regular from right. Now the algorithm picks a random element $R \in \mathcal{R}$ and a random 
neighbor of $R$ and independently repeats the process if $v_0$ is picked as a neighbor. 
Let $T \subseteq \mathcal{L}$ be a non-empty subset of the left vertices (excluding $v_0$) in the graph. We 
want to estimate the probability of the event $T$. We can write this probability as follows: 

$$\Pr[T] = \sum_{r \in \mathcal{R}} \Pr[T \mid R = r] \Pr[R = r] = \frac{1}{|\mathcal{R}|} \sum_{r \in \mathcal{R}} \Pr[T \mid R = r] = \frac{1}{d|\mathcal{R}|} \sum_{r \in \mathcal{R}} |T \cap \Gamma(r)|,$$

where in the last equation $\Gamma(r)$ is the set of neighbors of $r$ in the graph. Hence the summation 
can be simplified as the number of edges connected to $T$. This quantity is in the range 
$|T|\ell(1 \pm \delta)$, because the left degrees are all concentrated around $\ell$, ignoring $v_0$ which is by 
assumption not in $T$. That is, 

Pr[T] = Pr[T,^ ] = |^(l±<r>, (3.1) 

where we use the shorthand $(1 \pm \delta)$ to denote a quantity in the range $[1 - \delta, 1 + \delta]$. 

Hence the probabilities of all events that exclude $v_0$ are close to one another, which
implies that the distribution of the outcome of a single iteration of the algorithm, conditioned 
on a non-failure, is close to uniform. We will now make this statement more rigorous. 

The degree of $v_0$ can be estimated as 

$$\deg(v_0) = d|\mathcal{R}| - |\mathcal{L}|\ell(1 \pm \delta)$$

by equating the number of edges on the left and right side of the graph. Similar to what 
we did for computing the probability of $T$ we can compute the probability of picking $v_0$ as 

$$\Pr(v_0) = \frac{1}{d|\mathcal{R}|} \deg(v_0) = 1 - \frac{|\mathcal{L}|\ell}{d|\mathcal{R}|}(1 \pm \delta).$$
Combining this with (3.1) we get that 



l-Pr(«o) \C\ \ 1-8, 

Hence, the output distribution of a single iteration of the while loop, conditioned on a 
non-failure (i.e., the event that the iteration reaches Line 7 and outputs an element of $\mathcal{L}$) is 
$2\delta/(1 - \delta)$-close to the uniform distribution on $\mathcal{L}$. Now denote by $\varphi$ the failure probability. 
To obtain an upper bound on $\varphi$, note that the probability of sampling $v_0$ at Line 7 of the 
algorithm is at most $(d - 1)/d$ since each vertex on the right has at least one neighbor 
different from $v_0$. Hence, 

$$\varphi \le 1 - (1 - p)/d \qquad (3.2)$$
Now we get back to the whole algorithm, and notice that if the while loop iterates for up to 
$t_0$ times, the output distribution of the algorithm can be written as a convex combination 

$$\mathcal{O} = (1 - \varphi)\mathcal{D} + (1 - \varphi)\varphi\mathcal{D} + \cdots + (1 - \varphi)\varphi^{t_0 - 1}\mathcal{D} + \varphi^{t_0}\mathcal{E} = (1 - \varphi^{t_0})\mathcal{D} + \varphi^{t_0}\mathcal{E},$$

where $\mathcal{D}$ is the output distribution of a single iteration conditioned on a non-failure and $\mathcal{E}$ 
is an arbitrary error distribution corresponding to the event that the algorithm reaches the 
last line. The coefficient of $\mathcal{E}$, for $t_0 \ge \frac{d}{1-p} \ln\left(\frac{1-\delta}{\delta}\right)$, can be upper bounded using (3.2) by 

$$\varphi^{t_0} \le \left(1 - \frac{1-p}{d}\right)^{t_0} \le \frac{\delta}{1-\delta}.$$

This combined with the fact that $\mathcal{D}$ is $2\delta/(1 - \delta)$-close to uniform and Proposition 2.6 
implies that $\mathcal{O}$ is $3\delta/(1 - \delta)$-close to the uniform distribution on $\mathcal{L}$. 






4. Sampling Rational Points on Varieties 

Now we are ready to describe and analyze our algorithm for sampling rational points 
on varieties. For the sake of brevity, we will present the results in this section for affine 
varieties. However, they can also be shown to hold for projective varieties using similar 
arguments. 

We reduce the problem to the vertex sampling problem described in the preceding 
section. The basic idea is to intersect the variety with randomly chosen affine spaces in $\mathbb{F}_q^n$ 
and narrow down the problem to the points within the intersection. Accordingly, the 
graph G in the bipartite sampling problem will be defined as the incidence graph of the 
points on the variety with affine spaces. This is captured in the following definition: 

Definition 4.1. Let $V$ be an affine variety of co-dimension $k$ in $\mathbb{F}_q^n$. Then the affine 
incidence graph of the variety is a bipartite graph $G = (L \cup R, E)$ defined as follows: 

• The left vertex set is $V$, 

• For a $k$-dimensional affine space $A$, we say that $A$ properly intersects $V$ if the 
intersection $V \cap A$ is non-empty and has dimension zero. Then the right vertex set 
of $G$ is defined as the set of $k$-dimensional affine spaces in $\mathbb{F}_q^n$ that properly intersect 
$V$. 

• There is an edge between $u \in L$ and $v \in R$ if and only if the affine space $v$ contains 
the point $u$. 

Before utilizing the vertex sampling algorithm of the preceding section, we need to 
develop the tools needed for showing that the affine incidence graph satisfies the properties 
needed by the algorithm. We begin with an estimate on the number of linear and affine 
subspaces of a given dimension. The estimate is straightforward to obtain, yet we include 
a proof for completeness. 



Proposition 4.2. Let $\mathbb{F}$ be a finite field of size $q > \sqrt{2k}$, and let $N_1$ and $N_2$ be the number 
of distinct $k$-dimensional linear and affine subspaces of $\mathbb{F}^n$, respectively. Then we have 

(1) $|N_1/q^{k(n-k)} - 1| \le 2k/q^2$, 

(2) $|N_2/q^{(k+1)(n-k)} - 1| \le 2k/q^2$. 

Proof. If $k = n$, then $N_1 = N_2 = 1$, and the claim is obvious. Hence, assume that $k < n$. 
Denote by $N_{k,n}$ the number of ways to choose $k$ linearly independent vectors in $\mathbb{F}^n$. That 
is, $N_{k,n} = (q^n - 1)(q^n - q) \cdots (q^n - q^{k-1})$. This quantity is upper bounded by $q^{nk}$, and lower 
bounded by $(q^n - q^{k-1})^k \ge q^{nk}(1 - kq^{k-1-n}) \ge q^{nk}(1 - k/q^2)$. Hence, the reciprocal of $N_{k,n}$ 
can be upper bounded as follows: 

$$\frac{1}{N_{k,n}} \le \frac{q^{-nk}}{1 - k/q^2} = q^{-nk}\left(1 + \frac{k/q^2}{1 - k/q^2}\right) \le q^{-nk}\left(1 + \frac{2k}{q^2}\right),$$

where the last inequality follows from the assumption that $q^2 > 2k$. 

The number of $k$-dimensional subspaces of $\mathbb{F}^n$ is the number of ways one can choose $k$ 
linearly independent vectors in $\mathbb{F}^n$, divided by the number of bases a $k$-dimensional vector 
space can assume. That is, $N_1 = N_{k,n}/N_{k,k}$. By the bounds above, we obtain 

$$N_1 \le q^{nk} \cdot q^{-k^2}(1 + 2k/q^2) \quad \text{and} \quad N_1 \ge q^{nk}(1 - k/q^2) \cdot q^{-k^2},$$

which implies $|N_1/q^{k(n-k)} - 1| \le 2k/q^2$. The second part of the claim follows from the 
observation that two translations of a $k$-dimensional subspace $A$ defined by vectors $u$ and 
$v$ coincide if and only if $u - v \in A$. Hence, the number of affine $k$-dimensional subspaces of 
$\mathbb{F}^n$ is the number of $k$-dimensional subspaces of $\mathbb{F}^n$ multiplied by the number of cosets of 
$A$, i.e., $N_2 = N_1 q^{n-k}$. ■ 



The following two propositions show that a good fraction of all $k$-dimensional affine 
spaces properly intersect any affine variety of co-dimension $k$. 

Proposition 4.3. Let $n, d, k$ be positive integers, and $V \subseteq \mathbb{F}_q^n$ be an affine variety of
co-dimension $k$ defined by the zero-set of $k$ polynomials $f_1, \ldots, f_k \in \mathbb{F}_q[x_1, \ldots, x_n]$, each of
degree at most $d$. Suppose that $v \in V$ is a fixed point of $V$. Then the fraction of $k$-dimensional 
affine spaces passing through $v$ that properly intersect $V$ is at least $1 - B(k,n,d)/q$, where 
$B(n,d,k)$ is independent of $q$ and polynomially large in $n, d, k$. 

Proof. Without loss of generality, assume that $v$ is the origin, and that $q > \sqrt{2k}$. Denote 
by $L$ the set of $k$-dimensional linear subspaces that can be parametrized as 

$$\begin{pmatrix} x_{k+1} \\ x_{k+2} \\ \vdots \\ x_n \end{pmatrix} = \begin{pmatrix} \alpha_{11} & \cdots & \alpha_{1k} \\ \alpha_{21} & \cdots & \alpha_{2k} \\ \vdots & \ddots & \vdots \\ \alpha_{(n-k)1} & \cdots & \alpha_{(n-k)k} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_k \end{pmatrix},$$

where $\alpha := \{\alpha_{11}, \ldots, \alpha_{(n-k)k}\}$ is a set of indeterminates in $\mathbb{F}_q$. Note that $|L| = q^{k(n-k)}$, 
and define the polynomial ring $\mathcal{R} := \mathbb{F}_q[\alpha_{11}, \ldots, \alpha_{(n-k)k}]$. We first upper bound 
the number of bad subspaces in $L$ whose intersections with $V$ have nonzero dimensions. 
Substituting the linear forms defining $x_{k+1}, \ldots, x_n$ in $f_1, \ldots, f_k$, we see that the intersection 
of $V$ and the elements of $L$ is defined by the common zero-set of polynomials $g_1, \ldots, g_k \in 
\mathcal{R}[x_1, \ldots, x_k]$, where for each $i \in [k]$, 

$$g_i(x_1, \ldots, x_k) := f_i(x_1, \ldots, x_k, \alpha_{11} x_1 + \cdots + \alpha_{1k} x_k, \ldots, \alpha_{(n-k)1} x_1 + \cdots + \alpha_{(n-k)k} x_k).$$

Each $g_i$, as a polynomial in $x_1, \ldots, x_k$, has total degree at most $d$ and each of its coefficients 
is a polynomial in $\alpha_{11}, \ldots, \alpha_{(n-k)k}$ of total degree at most $d$. Denote by $I \subseteq \mathcal{R}[x_1, \ldots, x_k]$ 
the ideal generated by $g_1, \ldots, g_k$. For every $j \in [n]$, the ideal $I \cap \mathcal{R}[x_j]$ is generated by a 
polynomial $h_j$. Each coefficient of $h_j$ can be written as a polynomial in $\mathcal{R}$ with total degree 
at most $D$, where for a fixed $k$, $D$ is polynomially large in $d$. This can be shown using an 
elimination method, e.g., generalized resultants or Grobner bases (cf. [H HH [5]). Take any 
coefficient of $h_j$ which is a nonzero polynomial in $\mathcal{R}$. The number of the choices of $\alpha$ which 
makes this coefficient zero is, by Lemma 2.1, at most $Dq^{k(n-k)-1}$. This also upper bounds 
the number of the choices of $\alpha$ that make $h_j$ identically zero. 

A union bound shows that for all but at most $nDq^{k(n-k)-1}$ choices of $\alpha$ none of the 
polynomials $h_j$ is identically zero, and hence the solution space of $g_1, \ldots, g_k$ is zero
dimensional (and obviously non-empty, as we already know that it contains $v$). This gives an 
upper bound of $nD/q$ on the fraction of bad subspaces in $L$. 

By Proposition 4.2, the set $L$ contains at least a $1 - 2k/q^2$ fraction of all $k$-dimensional 
subspaces of $\mathbb{F}_q^n$. Hence, the fraction of $k$-dimensional subspaces of $\mathbb{F}_q^n$ that properly
intersect $V$ is at least 

$$\left(1 - \frac{2k}{q^2}\right)\left(1 - \frac{nD}{q}\right) \ge 1 - \frac{2k + nD}{q}.$$

The claim follows by taking $B := 2k + nD$. 
Proposition 4.4. Let $k, n, d$ be positive integers, and $V \subseteq \mathbb{F}_q^n$ be an affine variety of
co-dimension $k$ defined by the zero-set of $k$ polynomials $f_1, \ldots, f_k \in \mathbb{F}_q[x_1, \ldots, x_n]$, each of 
degree at most $d$. The fraction of $k$-dimensional affine subspaces that properly intersect $V$ 
is at least 

$$d^{-k}\left(1 - \frac{\delta(d)}{\sqrt{q}} - \frac{A'(n,d,n-k) + B(n,d,k)}{q}\right),$$

where $\delta(\cdot)$, $A'(\cdot)$, $B(\cdot)$ are as in Corollary 2.3 and Proposition 4.3. 

Proof. We use a counting argument to obtain the desired bound. Denote by $N$, $N_1$, and $N_2$ 
the number of points of $V$, the number of $k$-dimensional subspaces and $k$-dimensional affine 
subspaces in $\mathbb{F}_q^n$, respectively. Then Corollary 2.3 (followed by Remark 2.4) implies that 

$$N \ge sq^{n-k} - \delta(d)q^{n-k-\frac{1}{2}} - A'(n, d, n-k)q^{n-k-1},$$

for some $s \in [d^k]$ (as the degree of $V$ is at most $d^k$). 

By Proposition 4.3, for every $v \in V$, at least $N_1(1 - B(n,d,k)/q)$ affine subspaces pass 
through $v$ and properly intersect $V$. Hence in total $N \cdot N_1(1 - B(n,d,k)/q)$ affine spaces 
properly intersect $V$, where we have counted every such affine space at most $d^k$ times (this 
is because the intersection of $V$ and an affine space $A$ that properly intersects it is of size 
at most $d^k$, and $A$ is counted once for each point at the intersection). Thus, the fraction of 
distinct affine subspaces that properly intersect $V$ is at least 

$$\frac{N N_1 (1 - B(n,d,k)/q)}{d^k N_2}.$$

By the fact that $N_2 = N_1 q^{n-k}$ and the lower bound on $N$, we conclude that this fraction 
is at least 

$$d^{-k}\left(s - \frac{\delta(d)}{\sqrt{q}} - \frac{A'(n,d,n-k)}{q}\right)\left(1 - \frac{B(n,d,k)}{q}\right).$$

As $s \ge 1$, this proves the claim. ■ 

Now having the above tools available, we are ready to give the reduction from variety 
sampling to the vertex sampling problem introduced in the preceding section and prove our 
main theorem: 

Proof of Theorem 1.1. Let $G = (L \cup R, E)$ be the affine incidence graph of $V$. We will 
use Algorithm 1 on $G$. To show that the algorithm works, first we need to implement the 
oracles RSamp and RNei that are needed by the algorithm. 

The function RSamp simply samples a $k$-dimensional affine space of $\mathbb{F}_q^n$ uniformly at 
random, and checks whether the outcome $A$ properly intersects $V$. To do so, one can
parametrize the affine subspace as in the proof of Proposition 4.3 and substitute the
parametrization in $f_1, \ldots, f_k$ to obtain a system of $k$ polynomial equations in $k$ unknowns, each of degree 
at most $D$ which is polynomially large in $d$. As $k$ is an absolute constant, it is possible 
to solve this system in polynomial time using multipolynomial resultants or the Grobner 
bases method combined with backward substitutions. If at any point, the elimination of 
all but any of the variables gives the zero polynomial, it turns out that the system does 
not define a zero-dimensional variety and hence, $A$ does not properly intersect $V$. Also, if 
the elimination results in a univariate polynomial that does not have a solution in $\mathbb{F}_q$, the 
intersection becomes empty, again implying that $A$ does not properly intersect $V$. In both 
cases RSamp fails, and otherwise, it outputs $A$. Furthermore, if the intersection is proper, 
the elimination method gives the list of up to $D^k$ points at the intersection, which one can 
use to construct the oracle RNei. 

Now we need to show that the graph $G$ satisfies the conditions required by Lemma 3.2. 
By the argument above, the degree of every right vertex in $G$ is at least 1 and at most $D^k$, 
which is polynomially large in $d$. Let $p$ denote the failure probability of RSamp. Then
Proposition H3] implies that $p \le d^{-k}/2$ when $q > \max\{16\delta^2(d), 4(A'(n, d, n-k) + B(n,d,k))\}$. 

To bound the left degrees of the graph, note that each left node, which is a point on $V$, is 
connected to all $k$-dimensional affine subspaces that properly intersect $V$ and pass through 
the point. The number of such spaces is, by Proposition 4.2, at most $q^{k(n-k)}(1 + 2k/q^2)$ 
(assuming $q > \sqrt{2k}$), and by combination of Proposition 4.2 and Proposition 4.3, at least 

$$q^{k(n-k)}\left(1 - \frac{2k}{q^2}\right)\left(1 - \frac{B(k,n,d)}{q}\right) \ge q^{k(n-k)}\left(1 - \frac{2k + B(k,n,d)}{q}\right).$$

Now if we choose $q > (2k + B(k, n, d))^{1/\epsilon}$, the left degrees become concentrated in the range 
$q^{k(n-k)}(1 \pm 1/q^{1-\epsilon})$. 

Putting everything together, now we can apply Lemma 3.2 to conclude that the output 
distribution of the algorithm is $(6/q^{1-\epsilon})$-close to the uniform distribution on $V$. 

To show the efficiency of the algorithm, first note that Algorithm 1 calls each of the 
oracles RSamp and RNei at most 

In [—^-) <2D k (l-e)\nq 

1-p V Q ) 

times, which is upper bounded by a polynomial in $d$, $\ln q$. Hence it remains to show that 
the implementations of the two oracles are efficient. The main computational cost of these 
functions is related to the problem of deciding whether a system of $k$ polynomial equations of 
bounded degree in $k$ unknowns has a zero dimensional solution space, and if so, computing 
the list of at most $D^k$ solutions of the system. As in our case $k$ is a fixed constant, 
elimination methods can be efficiently applied to reduce the problem to that of finding the 
zero-set of a single univariate polynomial of bounded degree. A randomized algorithm is 
given in [13] for this problem that runs in expected polynomial time. Thus, we can use this 
algorithm as a sub-routine in RSamp and RNei to get a sampling algorithm that runs in 
expected polynomial time. Then it is possible to get a worst-case polynomial time algorithm 
by using a time-out trick, i.e., if the running time of the sampler exceeds a (polynomially 
large) threshold, it is forced to terminate and output an arbitrary point in $\mathbb{F}_q^n$. The error 
caused by this can increase the distance between the output distribution of the sampler and 
the uniform distribution on $V$ by a negligible amount that can be made arbitrarily small 
(and in particular, smaller than $1/q^{1-\epsilon}$), and hence, is of little importance. 

Finally, we need an efficient implementation of the field operations over $\mathbb{F}_q$. This is 
again possible using the algorithm given in [13]. Moreover, when the characteristic of the 
field is small, deterministic polynomial time algorithms are known for this problem [16]. ■ 
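
The following Python sketch is an added example, not code from the paper. It instantiates Algorithm 1 of Section 3 and the RSamp/RNei oracles from the proof above for co-dimension $k = 1$ (a hypersurface, so the random affine spaces are lines) over a small prime field, and computes the exact left degrees of the affine incidence graph. All function names, the constructed curve, and the brute-force root search that stands in for elimination are assumptions of this example.

```python
import itertools
import random

P = 31
# Constructed instance: f(x, y) = x * (y^2 - x^3 - x - 3) over F_31, stored as
# {exponents: coefficient}. V(f) is a cubic curve together with the line x = 0.
F = {(1, 2): 1, (4, 0): P - 1, (2, 0): P - 1, (1, 0): P - 3}
DEG = 4  # a line not contained in V(f) meets it in at most deg f = 4 points


def evaluate(f, x, p):
    """Evaluate f at the point x over F_p."""
    total = 0
    for exps, coeff in f.items():
        term = coeff
        for xi, e in zip(x, exps):
            term = term * pow(xi, e, p) % p
        total += term
    return total % p


def proper_intersection(f, a, u, p):
    """Points of V(f) on the line {a + t*u : t in F_p}, or None when the
    intersection is empty or is the whole line (not zero-dimensional).
    Brute force over t stands in for elimination; requires deg f < p."""
    line = [tuple((ai + t * ui) % p for ai, ui in zip(a, u)) for t in range(p)]
    hits = [x for x in line if evaluate(f, x, p) == 0]
    return hits if 0 < len(hits) < p else None


def rsamp(f, n, p, rng):
    """RSamp: draw a uniform affine line of F_p^n; return None (the failure
    symbol) unless it properly intersects V(f). The neighbour list is
    returned with the line, so RNei is a lookup."""
    a = tuple(rng.randrange(p) for _ in range(n))
    u = (0,) * n
    while not any(u):  # uniform nonzero direction
        u = tuple(rng.randrange(p) for _ in range(n))
    hits = proper_intersection(f, a, u, p)
    return None if hits is None else (a, u, hits)


def bipartite_sample(rsamp_oracle, rnei_oracle, d, t0, rng, fallback=None):
    """Algorithm 1 (BipartiteSample) with iteration budget t0."""
    for _ in range(t0):
        r = rsamp_oracle(rng)
        if r is None:
            continue
        nbrs = rnei_oracle(r)
        j = rng.randrange(d)  # slots len(nbrs)..d-1 play the role of v_0
        if j < len(nbrs):     # accepted with probability |nbrs| / d
            return nbrs[j]
    return fallback           # paper: an arbitrary element of the left side


def sample_hypersurface(f, n, p, d, rng, t0=500):
    """Almost-uniform point of V(f) in F_p^n (co-dimension k = 1)."""
    return bipartite_sample(lambda g: rsamp(f, n, p, g), lambda r: r[2], d, t0, rng)


def left_degrees(f, n, p):
    """Exact left degrees of the affine incidence graph: for each point of
    V(f), the number of lines through it that intersect V(f) properly."""
    points = [x for x in itertools.product(range(p), repeat=n)
              if evaluate(f, x, p) == 0]
    # one direction vector per line through a point: first nonzero entry is 1
    dirs = [u for u in itertools.product(range(p), repeat=n)
            if any(u) and next(c for c in u if c) == 1]
    return {v: sum(proper_intersection(f, v, u, p) is not None for u in dirs)
            for v in points}


def exact_distance(degs):
    """Statistical distance from uniform of one accepted iteration, whose
    output probability is proportional to the left degree."""
    total = sum(degs.values())
    return sum(abs(dg / total - 1 / len(degs)) for dg in degs.values()) / 2


if __name__ == "__main__":
    degs = left_degrees(F, 2, P)
    print(len(degs), "points; left degrees:", sorted(set(degs.values())))
    print("exact distance of one accepted iteration:", exact_distance(degs))
    rng = random.Random(1)
    print([sample_hypersurface(F, 2, P, DEG, rng) for _ in range(5)])
```

The line $x = 0$ lies inside the constructed variety, so it is the one line through each of its points that RSamp rejects as improper; this is the source of the small left-degree irregularity that Lemma 3.2 tolerates.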

5. Concluding Remarks 

We showed the correctness and the efficiency of our sampling algorithm for varieties 
of constant co-dimension over large fields. Though our result covers important special 
cases such as sampling random roots of multivariate polynomials, relaxing either of these 
requirements is an interesting problem. In particular, it remains an interesting problem 
to design samplers that work for super-constant (and even more ambitiously, linear in n) 
co-dimensions (in our result, the dependence of the running time on the co-dimension is 
exponential and thus, we require constant co-dimensions). Moreover, in this work we did 
not attempt to optimize or obtain concrete bounds on the required field size, which is 
another interesting problem. Finally, the error of our sampler (i.e., the distance of the 
output distribution from the uniform distribution on the variety) depends on the field size, 
and it would be interesting to bring down the error to an arbitrary parameter that is given 
to the algorithm. 